Peter A Clarke

The UK Information Commissioner has taken strong action in the form of a Monetary Penalty Notice of £140,000 for on selling personal information of one million people, from Emma’s Diary, which provides advice on pregnancy and childcare, to Experian Marketing Services, which is used by the Labour Party.  That information was used as a database which was used to profile new mums for use during the 2017 General Election.  The key with data for political parties is to allow them to micro target voters with carefully structured messages.

Under both UK and Australian privacy legislation personal information collected for one purpose can not be disclosed to a third party for another purpose unless one of the exceptions applies.

The actions by Emma’s Diary was particularly cynical given the purpose for which people provide their personal information.  It is also highlights the temptation, if not ravenous demand, for data by political parties to more efficiently shape and target their messages.  In Australia political parties have a carve out from the operation of the Privacy Act.  There is no good policy reason for that.  There are many good reasons to change that.  In Australia a company in Emma Diary’s position would be in breach of the Privacy Act.  The real question here would be whether Australia’s Information Commissioner would take action.  The track record is dismal.

The media release provides:

The Information Commissioner’s Office (ICO) has fined Lifecycle Marketing (Mother and Baby) Ltd, also known as Emma’s Diary, £140,000 for illegally collecting and selling personal information belonging to more than one million people.

The data broking company, which provides advice on pregnancy and childcare, sold the information to Experian Marketing Services, a branch of the credit reference agency, specifically for use by the Labour Party. Experian then created a database which the party used to profile the new mums in the run up to the 2017 General Election.

The Labour Party was then able to send targeted direct mail to mums living in areas with marginal seats about its intention to protect Sure Start Children’s centres.

The ICO investigation found that Emma’s Diary’s privacy policy did not disclose that the personal information given would be used for political marketing or by political parties. This is a breach of the Data Protection Act 1998.

Elizabeth Denham, Information Commissioner said:

“The relationship between data brokers, political parties and campaigns is complex. Even though this company was not directly involved in political campaigning, the democratic process must be transparent.”

This case formed part of the ICO’s comprehensive investigation into data analytics for political purposes. The ICO announced its intention to fine Emma’s Diary when it published its interim investigation report on 11 July. Representations from the company have been considered and today’s announcement confirms the monetary penalty.

The partner policy report, Democracy Disrupted? Personal information and political influence, sets out how the ICO aims to stop personal data being used incorrectly in campaigns during future elections.

Ms Denham continued:

“All organisations involved in political campaigning must use personal information in ways that are transparent, lawful and understood by the UK public.”

The ICO has put the UK’s 11 main political parties on notice to have their data-sharing practices audited later this year. The ICO also has outstanding enquiries with a number of data brokers, including Experian.

Ms Denham added:

“The ICO is committed to monitoring data brokers, political parties and online platforms and using new audit and enforcement powers so that the public can have confidence that parties and political campaign groups are complying with the law.”

The Monetary Penalty Notice relevantly provides:

Paragraphs 24 – 31

24.As set out above, the “fairness” requirement under DPPl included a transparency duty: controllers were required to provide or make available to data subjects information about (inter alia) the  purposes for which their personal data will be used. LCMB failed to comply with that transparency duty in this case. It  did  not  provide or make available to the affected data subjects information about the potential disclosure of their personal data to the Labour Party or to anyone else who might use that data for the purposes of political

25.  The “fairness” requirement under DPPl also included  a substantive duty to treat individuals fairly when using their personal data. In particular, fairness involves adhering to individuals’ reasonable expectations of how their data will be used and not using their data in ways that risk causing them damage or distress, unless there is some sufficiently weighty justification for doing so. LCMB failed to use the personal data of the affected data subjects fairly in this case. As indicated above, the data subjects would not reasonably have expected their personal data to be disclosed to  a political party  for the purposes of political marketing. Given in particular the party-political use of this data, this disclosure risked causing distress to some affected data subjects. LCMB had no adequate justification for acting as it did. Its actions appear to have been motivated by financial gain.

26.The extracts from LCMB’s privacy policy set out above suggest that LCMB sought to justify its disclosure of personal data to third parties for marketing purposes by reference to condition 1 from Schedule 2, namely the consent of the data subjects. The Commissioner’s assessment is that this condition was not met here. These “consents” were not specific and informed, given that the data subjects were not told that their data may be shared for the purposes of political marketing by the Labour Party or any other

27.The only other potentially applicable condition from Schedule 2 in such cases is condition 6(1) (legitimate interests). The Commissioner’s assessment is that this condition was not met here either. Given its failure to inform data subjects that their personal data may be shared with the Labour Party or indeed for any political purposes, the balance of interests entailed by condition 6( 1) tipped against

28. The Commissioner’s assessment is thus that no condition from Schedule 2 to the DPA was satisfied in this

29. For those reasons, the Commissioner’s assessment is that LCMB’s disclosure of the personal data contained in the 1,065,220 records provided to the Labour Party (via Experian) in May 2017 contravened DPPl in that:

(1) The disclosure was unfair, in that the data subjects were not provided with information about the potential disclosure of their personal data for use by the Labour Party or to anyone else who might use that data for the purposes of political

(2) The disclosure was also unfair in that it contravened the reasonable expectations of the data subjects and exposed at least some of them to potential distress without any adequate justification.

(3) Neither the consent condition, nor the legitimate interests condition, nor any other condition from Schedule 2 to the DPA was

30. The Commissioner is satisfied that LCMB was responsible for this contravention of DPPI

31. For completeness, the Commissioner adds that, in her view, the processing outlined above  was also likely  to contravene  the “lawfulness” requirement under DPPl: it is likely that LCMB’s disclosure contravened the affected individuals’ rights under Article 8 of the European Convention on Human Rights. In addition, DPP2 is likely to have been contravened: disclosure for the purposes of party-political marketing and insight is in the Commissioner’s view incompatible  with the purposes for  which this data  was collected,  as outlined in the privacy notices cited above. In  the  Commissioner’s view, however, those additional aspects of the contravention add little to the contravention of DPPl already set out at paragraph 29 above. She therefore does not need to address those additional aspects further here.

The Commissioner regarded the contravention would cause substantial damage or distress because, at 35:

(1) LCMB’s privacy notices contained reasonably clear descriptions of the kinds of third parties who might receive personal data from LCMB. At least some of the affected data subjects are likely to have been distressed by this failure to adhere to their expectations about how their data would be used. At least some data subjects would reasonably feel

(2) The Commissioner notes that the data supply agreement between LCMB and Experian refers to disclosures for the purposes of postal communications and “insight”. An affected data subject may reasonably infer that the Labour Party was subjecting her to a degree of profiling for political ends and without her knowledge. LCMB deliberately facilitated this. This is likely to be distressing to at least some affected data subjects.

(3) Political views and affiliations are liable to touch on some individuals’ sense of identity and/or private views. Some may reasonably be strongly opposed to being targeted for party­ political marketing based on their particular family circumstances. They may reasonably consider this to be invasive.

(4) In addition, given that LCMB failed to be transparent with the data subjects about this disclosure, the data subjects may well have been distressed by uncertainty as to how the Labour Party obtained information with which to target them based on their personal circumstances.

(5) This sense of distress is likely to have been exacerbated by the fact that it focused on the affected data subjects’ status as new mothers, as well as on their young children. It is highly  likely that at least some affected data subjects would have been distressed by the inclusion of their children’s personal data in a party-political database – even for a limited period – without the knowledge or consent of their parents.

(5) At least some of the affected data subjects are likely to be distressed by the perceived loss of control over their data when it was sent to Experian for inclusion in a Labour Party database for the purposes of both postal marketing and “insight”.

(6) Given the considerations outlined above and the number of affected data subjects, it is likely that the “substantial distress” threshold was crossed here.

To make matters worse the Commissioner found there was a failure to take reasonable steps because, at 36:

(1) LCMB was aware of the terms of its own privacy notices. It should have been readily aware that those terms did not contemplate disclosure for these purposes.

(2) LCMB knew its customer base. It knew why they signed up for Emma’s Diary and what kinds of marketing communications they normally received from third parties at LCMB’s behest. It should have been very clear to LCMB that this disclosure contravened those norms and expectations.

(3) In particular, if this was the first occasion on which LCMB shared data for such purposes, it should have considered whether this novel and unusual activity complied with its data protection obligations.

(4) Given its own knowledge of its customer base and the common­ sense considerations summarised at paragraph 35 above, it should have been readily apparent to LCMB that this disclosure was likely to cause substantial distress to at least some affected data subjects.

(5) As referred to above, it appears that LCMB amended its privacy policy in January 2018 in an attempt to provide for such a disclosure to a political party. This shows that LCMB was alive to the kinds of steps that would be needed to avoid contraventions of the DPA in such circumstances, but it failed to take any such steps before disclosing these records in May 2017. 

(6) LCMB could also have contacted the affected data subjects to seek their consent before making this disclosure, but it failed to do so.